"We are not as strong as we think we are" 

• Rich Mullins 



<GHz or bust! 



leveraging the power of the 
chipcon 1111 
(and RFCAT) 



0x1000 - intro to <GHz 

• FCC Rules (Title 47) Parts 15 and 18 allocate and govern parts of the 
RF spectrum for unlicensed ISM in the US (US adaptation of the ITU-R 
5.138, 5.150, and 5.280 rules) 

- Industrial - power grid stuff and more! 

- Science - microwave ovens? 

- Medical - insulin pumps and the like 

• US ISM bands: 

- 300:300 

- 433: 433.050 - 434.790 MHz 

- 915: 902.000 - 928.000 MHz 

- cc1111 does 300-348, 372-460, 779-928... but we've seen more. 

• Popular European ISM band: 

- 868: 863.000 - 870.000 MHz 

• Other ISM includes 2.4 GHz and 5.8 GHz 

- cc2531.... hmmm... maybe another toy? 



0x1010 - what is <GHz? what plays t 



• Industry, Science, Medical bands, US and EU 

• Cell phones 

• Cordless Phones 

• Personal Two-Way Radios 

• Car Remotes 

• Pink IM-ME Girl Toys! 

• TI Chronos Watches 

• Medical Devices (particularly 401-402MHz, 402-405MHz, 405-406MHz) 

• Power Meters 

• custom-made devices 

• Old TV Broadcast 

• much, much more... 




0x1020 — how do we play with it? 

cc1110/cc1111 do 300-348MHz, 391-464MHz, 782-928MHz 

- and more... 

RFCAT uses the CC111x on some common dongles 

- Chronos dongle (sold with every TI Chronos watch) 

- "Don's Dongles", aka TI CC1111EMK 

- IMME (currently limited to sniffer/detection firmware) 

but there are some catches 

- rf comms configuration? 

- channel hopping sequence? 

- bluetooth and DSSS? (not hap'nin) 




0x1030 - why do i care!? 



the inner rf geek in all of us 

your security research may require that you consider 
comms with a wireless device 



your organization may have 900MHz devices that 
should be protected! 



0x2000 - cc1111 summary - SPEED READER! 



modified 8051 core 



- 8-bit mcu 

- single-tick instructions 

- 256 bytes of iram 

- 4kb of xram 

- XDATA includes all code, iram, xram 

- execution happens anywhere :) 



• Full Speed USB 

• RfCat hides most of these details by default! 



0x20 



• IDLE 

• CAL 

• FSTXON 

• RX 

• TX 

[Radio control state diagram from the cc1111 datasheet; the annotations that survive the scan:] 

- Used for calibrating the frequency synthesizer up front (entering receive or transmit mode can then be done quicker). Transitional state. 

- SFSTXON or STX 

- Frequency synthesizer is on, ready to start transmitting. Transmission starts very quickly after receiving the STX command strobe. 

- Transmission is turned off and this state is entered if the RFD register becomes empty in the middle of a packet. 

- Typ. current consumption: 1.8 mA 

- Frequency synthesizer startup, optional calibration, settling: the frequency synthesizer is turned on, can optionally be calibrated, and then settles to the correct frequency. Transitional state. 

- TXOFF_MODE=00 / RXOFF_MODE=00 

- TX Overflow 

- RX Overflow 

- Reception is turned off and this state is entered if the RFD register overflows. 



0x2020 — cc1111 radio configuration 

• configuring the radio is done through updating a set of 
1-byte registers in varying bit-size fields 

- MDMCFG4 - MDMCFG0 - modem control 

- PKTCTRL1, PKTCTRL0 - packet control 

- FSCTRL1, FSCTRL0 - frequency synth control 

- FREND1, FREND0 - front end control 

- FREQ2, FREQ1, FREQ0 - base frequency 

- MCSM1, MCSM0 - radio state machine 

- SYNC1, SYNC0 - SYNC word, or the SFD 

- CHANNR, ADDR - channel and address 

- AGCCTRL2, AGCCTRL1, AGCCTRL0 - gain control 

• RfCat hides most of these details by default! 



0x2030 - Smart RF Studio (ftw) 

[Screenshot: CC1111 - Device Control Panel (offline). The preset list pairs data rates (2, 4 and 250 kBaud) with deviations (5.1 and 20 kHz), GFSK modulation, RX BW and "optimized for current consumption" variants. Values legible in the RF Parameters pane:] 

- Xtal frequency: 48.000000 MHz 
- Channel number: 0 
- Data rate: 1.19877 kBaud 
- Deviation: 5.126953 kHz 
- Channel spacing: 199.951172 kHz 
- RX filter BW: 52.500000 kHz 
- TX power: (illegible) dBm 
- Manchester enable, PA ramping checkboxes 
- Packet payload size: 30, Add seq. number; Packet count: 100, Infinite; payload Random / Text / Hex 
- Base frequency and carrier frequency: illegible in the scan 

[Register view alongside:] IOCFG2, IOCFG1, IOCFG0, SYNC1, SYNC0, PKTLEN, PKTCTRL1, PKTCTRL0, ADDR, CHANNR, FSCTRL1, FSCTRL0, FREQ2, FREQ1, FREQ0, MDMCFG4, MDMCFG3, MDMCFG2, MDMCFG1, MDMCFG0, DEVIATN, MCSM2, MCSM1, MCSM0, FOCCFG, BSCFG, AGCCTRL2, AGCCTRL1, AGCCTRL0, FREND1, FREND0, FSCAL3, FSCAL2 

Data Rate, Bandwidth, and Intermediate Frequency and Freq-Deviation depend on each other 



0x2100 - RfCat for devs 

cc1111usb.c provides usb descriptors and framework 

- shouldn't need much tinkering 

cc1111rf.c provides the core of the radio firmware 

- shouldn't need much tinkering 

application.c provides the template for new apps 

- copy it and make your amazing toy 

txdata(buffer, length) to send data IN to host 

registerCbEP5OUT() to register a callback function to handle data 
OUT from host 

- data is in ep5iobuf[] 

transmit(*buf, length) allows you to send on the RF pipeline 

appMainLoop() - modify this for handling RF packets, etc... 

follow the examples, luke! 

- RfCat's "application" source is appFHSSNIC.c 



0x3000 — radio info we want to know 



frequencies 

modulation (2FSK/GFSK, MSK, ASK/OOK, other) 
intermediate frequency (IF) 
baud rate 

channel width/spacing/hopping? 
bandwidth filter 
sync words / bit-sync 
variable length/fixed length packets 



data whitening? 

any encoding (manchester, FEC, enc, etc..) 



0x3010 — interesting frequencies 



• 315MHz -car fobs 

• 433MHz - medical devices, garage door openers 

• 868MHz - EU loves this range 

• 915MHz - NA stuff of all sorts (power meters, insulin 
pumps, industrial plant equipment, industrial backhaul) 

• 2.4GHz - 802.11/wifi, 802.15.4/zigbee/6lowpan, bluetooth 

• 5.8GHz - cordless phones 

• FREQ2, FREQ1, FREQ0 




0x3020 — modulations 

• 2FSK/GFSK - Frequency Shift Key 

- (digital FM) 

- cordless phones (DECT/CT2) 

• ASK/OOK - Amplitude Shift Key 

- (digital AM) 

- morse-code, car-remotes, etc... 



• MSK - Minimal Shift Key (a type of quadrature shift 
modulation like QPSK) 




MDMCFG2, DEVIATN 




0x3030 — intermediate frequency 

• cc1111 supports a wide range of 31 different IF options: 

- 23437 Hz apart, up to 726.5 kHz 

• Smart RF Studio recommends: 

- 140 kHz up to 38.4 kbaud 

- 187.5 kHz at 38.4 kbaud 

- 281 kHz at 250 kbaud 

- 351.5 kHz at 500 kbaud 

• FSCTRL1 

[Figure: heterodyne mixing. An amplitude-modulated carrier is mixed down to an intermediate frequency (IF) that can be manipulated easily; the difference-frequency carrier retains the original modulating signal.] 


0x3040 - data rate (baud) 

• much like your modems of old 

• the frequency of bits 

- some can overlap and get garbage! 

- garbage can be good... 

• baud has significant impact on IF, Deviation and 
Channel BW 

• seeing use of 2400, 19200, 38400, 250000 

• MDMCFG3 / 4 




0x3050 — channel width / spacing 




0x3060 - bandwidth filter 

• programmable receive filter 

• provides for flexible channel sizing/spacing 

• total signal bw = signal bandwidth + (2*variance) 

• total signal bw wants to be less than 80% bw filter! 

• MDMCFG4 
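As an added worked example (not code from the slides or from the RfCat project), here is the register arithmetic behind the knobs named on slides 0x2020, 0x3010, 0x3040, 0x3050 and 0x3060: carrier (FREQ2/1/0), data rate (MDMCFG4/3), deviation (DEVIATN), channel spacing (MDMCFG1/0) and RX filter bandwidth (MDMCFG4), using the formulas from the CC1101/CC111x datasheet family. The reference clock `f_ref` (24 MHz on the cc1111, 26 MHz on the cc1110), the function names and the sample targets (the Smart RF Studio values from slide 0x2030) are my choices for the worked case; the 80% rule is the slide's, and reading its "2*variance" term as crystal frequency error is my interpretation.

```python
# Added example: cc1111 radio register math (not code from the slides or RfCat).
# Formulas follow the CC1101/CC111x datasheet family; the reference clock
# f_ref is 24 MHz on the cc1111 (48 MHz crystal / 2) and 26 MHz on the cc1110.
import math

F_REF_CC1111 = 24_000_000
F_REF_CC1110 = 26_000_000


def freq_regs(hz, f_ref=F_REF_CC1111):
    """Carrier -> (FREQ2, FREQ1, FREQ0): f = f_ref / 2^16 * FREQ[23:0]."""
    freq = round(hz * (1 << 16) / f_ref)
    if not 0 <= freq < (1 << 24):
        raise ValueError("carrier out of range for the 24-bit FREQ word")
    return (freq >> 16) & 0xFF, (freq >> 8) & 0xFF, freq & 0xFF


def regs_to_freq(freq2, freq1, freq0, f_ref=F_REF_CC1111):
    return ((freq2 << 16) | (freq1 << 8) | freq0) * f_ref / (1 << 16)


def drate_regs(baud, f_ref=F_REF_CC1111):
    """Data rate -> (DRATE_E, DRATE_M): MDMCFG4[3:0] and MDMCFG3.
    R = (256 + DRATE_M) * 2^DRATE_E / 2^28 * f_ref."""
    drate_e = math.floor(math.log2(baud * (1 << 20) / f_ref))
    drate_m = round(baud * (1 << 28) / (f_ref * (1 << drate_e)) - 256)
    if drate_m == 256:                  # mantissa overflow: carry into the exponent
        drate_e, drate_m = drate_e + 1, 0
    return drate_e, drate_m


def regs_to_drate(drate_e, drate_m, f_ref=F_REF_CC1111):
    return (256 + drate_m) * (1 << drate_e) * f_ref / (1 << 28)


def regs_to_deviation(dev_e, dev_m, f_ref=F_REF_CC1111):
    """DEVIATN: f_dev = f_ref / 2^17 * (8 + DEV_M) * 2^DEV_E."""
    return (8 + dev_m) * (1 << dev_e) * f_ref / (1 << 17)


def deviatn_reg(dev_hz, f_ref=F_REF_CC1111):
    """Closest representable deviation -> DEVIATN byte (DEV_E << 4 | DEV_M)."""
    _, dev_e, dev_m = min((abs(regs_to_deviation(e, m, f_ref) - dev_hz), e, m)
                          for e in range(8) for m in range(8))
    return (dev_e << 4) | dev_m


def regs_to_chanspc(chanspc_e, chanspc_m, f_ref=F_REF_CC1111):
    """Channel spacing = f_ref / 2^18 * (256 + CHANSPC_M) * 2^CHANSPC_E."""
    return (256 + chanspc_m) * (1 << chanspc_e) * f_ref / (1 << 18)


def chanspc_regs(spacing_hz, f_ref=F_REF_CC1111):
    """Closest spacing -> (CHANSPC_E, CHANSPC_M): MDMCFG1[1:0] and MDMCFG0."""
    _, best_e, best_m = min((abs(regs_to_chanspc(e, m, f_ref) - spacing_hz), e, m)
                            for e in range(4) for m in range(256))
    return best_e, best_m


def regs_to_chanbw(chanbw_e, chanbw_m, f_ref=F_REF_CC1111):
    """RX filter BW = f_ref / (8 * (4 + CHANBW_M) * 2^CHANBW_E)."""
    return f_ref / (8 * (4 + chanbw_m) * (1 << chanbw_e))


def chanbw_regs(min_bw_hz, f_ref=F_REF_CC1111):
    """Narrowest filter that still passes min_bw_hz -> (CHANBW_E, CHANBW_M), MDMCFG4[7:4]."""
    for bw, e, m in sorted((regs_to_chanbw(e, m, f_ref), e, m)
                           for e in range(4) for m in range(4)):
        if bw >= min_bw_hz:
            return e, m
    raise ValueError("wider than the widest RX filter")


def required_rx_bw(baud, dev_hz, carrier_hz, xtal_ppm):
    """Slide 0x3060: the total signal BW must stay below 80 % of the filter BW.
    2-FSK signal BW = 2*deviation + data rate; the slide's '2*variance' is read
    here as the frequency error of both crystals (my interpretation)."""
    total = 2 * dev_hz + baud + 2 * carrier_hz * xtal_ppm * 1e-6
    return total / 0.8


def modem_config(carrier_hz, baud, dev_hz, spacing_hz, xtal_ppm=20, f_ref=F_REF_CC1111):
    """Assemble the register bytes the slides name.  The other MDMCFG1 bits
    (FEC enable, preamble length) are left at zero here."""
    drate_e, drate_m = drate_regs(baud, f_ref)
    chanbw_e, chanbw_m = chanbw_regs(required_rx_bw(baud, dev_hz, carrier_hz, xtal_ppm), f_ref)
    chanspc_e, chanspc_m = chanspc_regs(spacing_hz, f_ref)
    freq2, freq1, freq0 = freq_regs(carrier_hz, f_ref)
    return {
        "FREQ2": freq2, "FREQ1": freq1, "FREQ0": freq0,
        "MDMCFG4": (chanbw_e << 6) | (chanbw_m << 4) | drate_e,
        "MDMCFG3": drate_m,
        "MDMCFG1": chanspc_e, "MDMCFG0": chanspc_m,
        "DEVIATN": deviatn_reg(dev_hz, f_ref),
    }
```

Feeding the Smart RF Studio values back in (`modem_config(915e6, 1198.77, 5126.953, 199951.172)`) reproduces MDMCFG3 = 0xA3, DEVIATN = 0x16 and MDMCFG0 = 0x11, which is a quick sanity check that a dongle's reference clock was set correctly; the same numbers computed with 26 MHz land on different registers, which is the usual cause of an IMME and a cc1111 dongle refusing to hear each other.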




0x3070 — preamble / sync words 

identify when real messages are being received! 

starts out with a preamble (1010101010...) 

then a sync word (programmable bytes) 

- marking the end of the preamble 

- aka 'SFD' - start of frame delimiter 

configurable to: 

- nothing (just dump received crap) 

- carrier detect (if the RSSI value indicates a message) 

- 15 or 16 bits of the SYNC WORD identified 

- 30 out of 32 bits of double-SYNC WORD 

SYNC1, SYNC0, MDMCFG2 



0x3080 — variable / fixed-length packet 

packets can be fixed length or variable length 

variable length assumes first byte is the length 

both modes use the PKTLEN register: 

- Fixed: the length 

- Variable: MAX length 

PKTCTRL0, PKTLEN 



0x3090 - CRC - duh, but not 

• crc16 check on both TX and RX 

• uses the internal CRC (part of the RNG) seeded by 0xffff 

• DATA_ERROR flag triggers when CRC is enabled and fails 

• some systems do this in firmware instead 

• PKTCTRL0 



[Figure 51: Packet Format (datasheet figure). Fields left to right: Preamble bits (1010...1010) | Sync word (16/32 bits) | Data field | CRC-16. Optional data whitening, optional FEC encoding/decoding and optional CRC-16 calculation apply to the trailing fields. Legend: inserted automatically in TX, processed and removed in RX; processed but not removed in RX; unprocessed user data (apart from FEC and/or whitening).] 
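As an added example (not code from the slides or from RfCat), the frame of Figure 51 built and taken apart in software, so the PKTLEN/PKTCTRL0 semantics of slides 0x3070 to 0x3090 can be checked against bytes on a bench: variable-length mode puts the payload length right after the sync word and treats PKTLEN as a maximum, fixed-length mode sends no length byte and treats PKTLEN as the exact size, and the CRC-16 is the CC1101-family one (polynomial 0x8005, seed 0xFFFF, MSB first, as in TI design note DN502) computed over everything between the sync word and the CRC. The preamble length, the sync word and the payloads are constructed sample values.

```python
# Added example: cc1111-style air frame builder/parser (not code from the slides or RfCat).
CRC16_POLY = 0x8005
PREAMBLE = b"\xaa" * 4          # constructed: four preamble bytes
SYNC = b"\xd3\x91"              # CC1101-family reset value of SYNC1:SYNC0


def crc16_radio(data, crc=0xFFFF):
    """Bitwise CRC-16 as the radio computes it (seed 0xFFFF, slide 0x3090)."""
    for byte in data:
        for _ in range(8):
            if ((crc >> 8) ^ byte) & 0x80:      # MSB of crc differs from MSB of data
                crc = ((crc << 1) ^ CRC16_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
            byte = (byte << 1) & 0xFF
    return crc


def build_frame(payload, fixed_len=None):
    """fixed_len=None -> variable-length mode: the first byte after the sync
    word is the payload length.  Otherwise fixed-length mode: the payload must
    be exactly fixed_len (the PKTLEN value) bytes and no length byte is sent."""
    if fixed_len is None:
        if len(payload) > 255:
            raise ValueError("variable-length packets carry at most 255 bytes")
        body = bytes([len(payload)]) + bytes(payload)
    else:
        if len(payload) != fixed_len:
            raise ValueError("fixed-length mode: payload must be PKTLEN bytes")
        body = bytes(payload)
    return PREAMBLE + SYNC + body + crc16_radio(body).to_bytes(2, "big")


def parse_frame(raw, pktlen, variable=True):
    """Receive side: skip preamble bytes up to the sync word, then apply PKTLEN
    as the maximum (variable) or exact (fixed) length and verify the CRC.
    Returns None when no sync word was found, a dict otherwise."""
    idx = raw.find(SYNC)
    if idx < 0 or any(b != 0xAA for b in raw[:idx]):
        return None
    rest = raw[idx + len(SYNC):]
    if variable:
        if not rest:
            return None
        if rest[0] > pktlen:                 # the radio discards packets longer than PKTLEN
            return {"payload": None, "crc_ok": False, "error": "length > PKTLEN"}
        body = rest[:1 + rest[0]]
        payload = body[1:]
    else:
        body = rest[:pktlen]
        payload = body
    crc_rx = int.from_bytes(rest[len(body):len(body) + 2], "big")
    return {"payload": payload, "crc_ok": crc_rx == crc16_radio(body), "error": None}
```

The CRC rejects a single flipped payload bit, which is what DATA_ERROR signals on the chip; when a target does its own CRC "in firmware instead" (slide 0x3090), disable the chip CRC, capture with `crc_ok` ignored, and run the candidate polynomial over the captured bytes in software the same way.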



0x30a0 — data whitening — 9 bits of pain 

ideal radio data looks like random data 

real world data can contain long sequences of 0 or 1 

data to be transmitted is first XOR'd with a 9-bit sequence 

- sequence repeated as many times as necessary to 
match the data 

PKTCTRL0 



0x30b0 — encoding 

manchester 

[Figure: Manchester encoding - clock and data waveforms above the encoded bit stream 10100111001] 

- MDMCFG2 

forward error correction 

- convolutional 

• MDMCFG1 

- reed-solomon (not supported) 

encryption - AES in chip 

[image] sorry, couldn't resist 
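As an added example (not code from the slides or from RfCat), the two reversible bit-level transforms of slides 0x30a0 and 0x30b0 in software, so a raw capture can be de-whitened and Manchester-decoded offline. The PN9 details are the CC1101-family ones (x^9 + x^5 + 1, seed 0x1FF, LSB first); the Manchester chip polarity used (1 -> 10, 0 -> 01) is one of the two conventions in use, so flip the pairs if a real capture decodes to nothing but invalid symbols. Sample data is constructed.

```python
# Added example: PN9 whitening and Manchester coding (not code from the slides or RfCat).

def pn9_sequence(nbytes):
    """Whitening bytes: each byte is the low 8 bits of the 9-bit LFSR state,
    then the register is clocked 8 times (feedback = bit0 XOR bit5 into bit 8).
    The state has period 511 bits, so the byte sequence repeats every 511 bytes."""
    state, out = 0x1FF, bytearray()
    for _ in range(nbytes):
        out.append(state & 0xFF)
        for _ in range(8):
            feedback = (state ^ (state >> 5)) & 1
            state = (state >> 1) | (feedback << 8)
    return bytes(out)


def whiten(data):
    """XOR with PN9 from the start of the packet.  XOR is its own inverse, so
    the same call de-whitens a received packet."""
    return bytes(d ^ p for d, p in zip(data, pn9_sequence(len(data))))


def manchester_encode(data):
    """Return the chip list: two chips per data bit, MSB of each byte first."""
    chips = []
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            chips.extend((bit, bit ^ 1))
    return chips


def manchester_decode(chips):
    """Return (bytes, None) or (None, index_of_first_bad_pair).  A '00' or '11'
    pair cannot occur in valid Manchester: the receiver has lost chip alignment
    or the capture starts mid-bit, so retry from an odd chip offset."""
    if len(chips) % 16:
        raise ValueError("need a whole number of bytes (16 chips each)")
    bits = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            return None, i
    out = bytes(int("".join(str(b) for b in bits[j:j + 8]), 2)
                for j in range(0, len(bits), 8))
    return out, None
```

Whitening a run of zero bytes simply prints the PN9 sequence itself (0xFF 0xE1 0x1D 0x9A ...), which is a handy fingerprint: if those bytes show up at the start of "garbage" captures, the target is whitening and the capture was taken with PKTCTRL0 whitening off.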



0x3100 — how can we figure it out!? 

open / public documentation 

- insulin pump published frequency 

open source implementation / source code 

"public" but harder to find (google fail!) 

- fcc.gov - search for first part of FCC ID 

...ition.fcc.gov/oet/ea/fccid/ 

- patents - http://freepatentsonline.com 

http://www.freepatentsonline.com/8189577.html 
http://www.freepatentsonline.com/20090168846.pdf 



0x3101 — how can we figure it out!? - part 2 

reversing hw 

- tapping bus lines - logic analyzer 

• grab config data 

• grab tx/rx data 

- pulling and analyzing firmware 

hopping pattern analysis 

- arrays of dongles - space them out and record results 

- hedyattack, or something similar 

- spectrum analyzer 

- USRP2 or latest gadget from Michael Ossmann 

trial and error - rf parameters 

MAC layer? - takes true reversing... unless you find a patent :) 



0x4000 - intro 2 FHSS - SPDY! 

• FHSS is common for devices in the ISM bands 

- provides natural protection against unintentional 
jamming / interference 

- US Title 47 CFR 15.247 affords special power 
considerations to FHSS devices 

• >25 kHz between channels 

• pseudorandom pattern 

• each channel used equally (avg) by each transmitter 

• if the 20 dB bandwidth of a hopping channel is < 250 kHz: 

- must have at least 50 channels 

- average <0.4 sec per 20 seconds on one channel 

• if the 20 dB bandwidth of a hopping channel is > 250 kHz: 

- must have at least 25 channels 

- average <0.4 sec per 10 seconds on one channel 




0x4010 — FHSS, the one and only - not ! 

• different technologies: 

- DSSS - Direct Sequence Spread Spectrum 

• hops happen more often than bytes (ugh) 

• typically requires special PHY layer 

- "FHSS" 

• hops occur after a few symbols are transmitted 

• different topologies: (allow for different synch methods) 

- point-to-point (only two endpoints) 

- multiple access systems (couple different options) 

• each cell has their own hopping pattern 

• each node has own hopping pattern 

• different customers: 

- military has used frequency hopping since Hedy and George submitted the 
patent in 1941. 

- commercial folks (WiFi, Bluetooth, proprietary stuff like power meters) 




0x4020 - FHSS intricacies 



what's so hard about FHSS? 

- must know or be able to come up with the hopping pattern 

• can be anywhere from 50 to a million distinct channel hops 

before the pattern repeats (or more) 

- must be able to synchronize with an existing cell or partner 

• or become your own master! 

- must know channel spacing 

- must know channel dwell time (time to sit on each channel) 

- likely need to reverse engineer your target 

- DSSS requires that you have special hardware 

military application will be very hard to crack, as it typically will have hops 
based on a synchronized PRNG to select channels 



0x4030 — FHSS, the saving graces 



any adhoc FHSS multi-node network: (power meters / sensor-nets) 

- node sync in a reasonable timeframe 

• limited channels in the repeated pattern 

- each node knows how to talk to a cell 

• let one figure it out, then tap the SPI bus to see what the 
pattern is... 

two keys to determining hopping pattern: 

- hop pattern generation algorithm 

• often based on the CELL ID 

- one pattern gets you the whole cell :) 

• others generate a unique pattern per node 

- some sync information the cell gives away for free 

• gotta tell the nOObs how to sync up, right? 

• for single-pass repeating sequences, it's just the channel 



0x4040 — FHSS summary 



FHSS comes in different forms for different uses and 
different users 

FHSS is naturally tolerant to interference, and allows a 
device to transmit higher power than nonFHSS comms 

getting the FHSS pattern, timing, and appropriate sync 
method for proprietary comms can be a reversing 
challenge 

getting a NIC to do something with the knowledge 
gained above has - to date - been very difficult 
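As an added example (not code from the slides or from RfCat), the hop-pattern analysis that slides 0x4000 to 0x4030 describe, run over a constructed hop log of the kind a spectrum analyzer or a row of dongles spread across the band would record (one `(time_ms, channel)` pair per hop): it recovers the dwell time and the pattern period, and checks the hop set against the 15.247 figures quoted on slide 0x4000, which of them applies depending on the 20 dB channel bandwidth. The log generator, the thresholds' encoding and the sample patterns are mine.

```python
# Added example: hop log analysis and 15.247 check (not code from the slides or RfCat).
from collections import Counter


def hop_log(pattern, dwell_ms, n_hops):
    """Constructed observation log for a transmitter cycling through pattern."""
    return [(i * dwell_ms, pattern[i % len(pattern)]) for i in range(n_hops)]


def dwell_time_ms(log):
    """Shortest stay on any channel: the hop timing."""
    return min(t1 - t0 for (t0, _), (t1, _) in zip(log, log[1:]))


def pattern_period(channels):
    """Smallest p with channels[i] == channels[i + p] throughout the log, or
    None when the log never repeats (too short, or not a simple cycle)."""
    for p in range(1, len(channels)):
        if all(channels[i] == channels[i + p] for i in range(len(channels) - p)):
            return p
    return None


def max_occupancy_ms(log, dwell_ms, window_ms):
    """Longest time any one channel is occupied inside any window_ms span."""
    worst = 0
    for i, (t0, _) in enumerate(log):
        counts = Counter(ch for t, ch in log[i:] if t < t0 + window_ms)
        worst = max(worst, max(counts.values()) * dwell_ms)
    return worst


def check_15_247(log, spacing_hz, bw20db_hz):
    """Compare an observed hop set with the 15.247 limits on slide 0x4000."""
    channels = [ch for _, ch in log]
    dwell = dwell_time_ms(log)
    min_channels, window_ms = (50, 20_000) if bw20db_hz < 250_000 else (25, 10_000)
    occupancy = max_occupancy_ms(log, dwell, window_ms)
    return {
        "distinct_channels": len(set(channels)),
        "period": pattern_period(channels),
        "dwell_ms": dwell,
        "spacing_ok": spacing_hz > 25_000,
        "enough_channels": len(set(channels)) >= min_channels,
        "occupancy_ms": occupancy,
        "occupancy_ok": occupancy <= 400,
    }


def next_channel(channels, period):
    """For a single-pass repeating sequence (slide 0x4030) the phase is the
    channel you are on: the next hop is the pattern entry after the last seen."""
    return channels[len(channels) % period] if period else None
```

Fifty channels at 400 ms dwell sits exactly on the 0.4 s per 20 s limit; a 20-channel pattern with the same dwell lands each channel three times inside a 20 s window (1.2 s), so it fails on both channel count and occupancy, which is the kind of thing a pre-certification check on your own product should catch.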



0x5000 — intro to RfCat 



• RfCat: RF Chipcon-based Attack Toolset 

• RfCat is many things, but I like to think of it as an interactive 
python access to the <GHz spectrum! 



0x5010 — rfcat background 



the power grid 

- power meters and the folks who love them (yo cutaway, 
q, travis and josh!) 

- no availability of good attack tools for RF 

vendor at Distributech 2008: 

"Our Frequency Hopping Spread Spectrum is too fast 
for hackers to attack." 

• OMFW! really? 



0x5020 - rfcat goals 



RE tools - "how does this work?" 

security analysis tools - "your FHSS and Crypto is weak!" 

satiate my general love of RF 



a little of Nevil Maskelyne 

"I will not demonstrate to any man who throws doubt upon the 
system" - Guglielmo Marconi, 1903 

- lulwut? 



0x5030 — rfcat's interface 



- FHSS-capable NIC 

• some assembly may be required for FHSS to arbitrary devices 

- toolset for discovering/interfacing with RF devices 



rfcat server 



- access the <GHz band over an IP network or locally and 
configure on the fly 

- connect to tcp port 1900 for raw data channel 

- connect also to tcp port 1899 for configuration 



0x5050 — rfcat server 



bringing <GHz over the IP network! 

connect on TCP port 1900 to access the wireless network 

connect on TCP port 1899 to access the wireless configuration 

created to allow non-python clients to play too 

- stdin is not always the way you want to interact with 
embedded wireless protocols 



0x5060 — rfsniff (pink version too!) 



focused primarily on capturing data from the wireless network 
IMME used to provide a nice simple interface 
RF config adjustment using keyboard! 



0x5065 — rfsniff — key bindings 

a - inc/dec highest sync word nibble 

s - inc/dec high-middle sync word nibble 

d - inc/dec low-middle sync word nibble 

f - inc/dec lowest sync word nibble 

- NO sync word matching 

menu - inc Modulation type 
bye - dec Modulation type 

up - inc recv bandwidth 
down - dec recv bandwidth 

right - inc baud rate 
left - dec baud rate 

Enter - inc/dec frequency 

- faster inc/dec frequency 
m - even faster inc/dec frequency 

- set freq to 915 MHz 

- set freq to 868 MHz 

- set freq to 433 MHz 

- set freq to 315 MHz 

v - inc/dec channels 

- set channel = 

SPACE - switch screens 

SPKR - toggle CARRIER TX mode (good for showing up on a SpecAn, or, umm, jamming?) 



0x5070 — rfcat wicked coolness — WORK- 

d._debug = 1 - dump debug messages as things happen 
d.debug() - print state infoz once a second 
d.discover() - listen for specific SYNCWORDS 
d.lowball() - disable most "filters" to see more packets 
d.lowballRestore() - restore the config before calling lowball() 
d.RFlisten() - simply dump data to screen 
d.RFcapture() - dump data to screen, return list of packets 
d.scan() - scan a configurable frequency range for "stuff" 
print d.reprRadioConfig() - print pretty config infoz 
d.setMdm*() d.setPkt*() d.make*() 



0x5100 — example lab setup 



example RF attack lab setup: 

- dongle "Gina" running hedyattack specan code 

- dongle "Paul" running rfcat 

- IMME running rfsniff 

- (possibly an IMME's running SpecAn) 

- saleae logic analyzer for hacking of the wired variety 

- FunCube Dongle and quisk/qthid or other SDR 



rf attack form 

• basefreq: 

• modulation: 

• baud/bandwidth: 

• deviation: 

• channel hopping? 

- how many channels: channel spacing: 

- pattern and effective sync method? dwell period (ms): 

• fixed-/variable-length packets: len/maxlen: 

• "address": 

• sync word (if applicable): 

• crc16 (y/n): does chip do correct style? 

• fec (y/n): type (convolutional/reed-solomon/other): 

• manchester encoding (y/n): 

• data whitening? and 9bit pattern: 

• more complete information: 

resources/rf-recon-form.pdf 



0x6000 — playing with medical devices 

CAUTION: MUCKING WITH THESE CAN KILL PEOPLE. 

- THIS FIRMWARE AND CLIENT NOT PROVIDED 

found frequency in the pdf manual from the Internet 

- what random diabetic cares what frequency his pump 
communicates with!? ok, who cares! 

modulation guessed based on spectrum analysis and trial/error 

- the wave form just looks like <blah> modulation! 

other characteristics discovered using a USRP and baudline 
(and some custom tools, thanks Mike Ossmann!) 



0x6010 — the discovery process 

glucometer was first captured using Spectrum Analyzer 
(IMME/hedyattack) to validate frequency range from the lay 
documentation 

next a logic analyzer (saleae) used to tap debugging lines 

next, the transmission was captured using a USRP (thank you 
Mike Ossmann for sending me your spare!) - alt: 

next, the "packet capture" was loaded into Baudline, and 
analysis performed to identify baudrate and modulation 
scheme, and get an idea of bits 

next, Mike Ossmann did amazing-sauce, running 
the capture through GnuRadio Companion 
(the big picture on next slide) 

RF parameters confirmed through RF analysis, 
and real-life capture. 




0x6020 — the immaculate reception 

• punched in the RF parameters into a RFCAT dongle 

- created subclass of RFNIC (in python) for new RF config 

• dropped into "discover" mode to ensure I had the modem right 

• turned to normal NIC mode to receive real packets 

• now need the pump to reverse the bi-dir protocol 




0x6100 — playing with a power meter 



CAUTION: MUCKING WITH power systems without appropriate 
AUTHORIZATION IS ILLEGAL, EVEN IF IT IS ON THE SIDE OF YOUR HOUSE! 

most power meters use their own proprietary "Neighborhood Area Network" 
(NAN), typically in the 900MHz range and sometimes 2.4GHz or licensed 
spectrum. 

to get the best reception over distance and gain tolerance to interference, all 
implement FHSS to take advantage of the Title 47: Part 15 power 
allowances 

many of the existing meters use the same cc1111 or cc1110 chips, or the 
cc1101 radio core 

this is the reason I'm here today 




0x6110 — as sands through the hourglass 




power meter RF comms have long been "unavailable" for 
most security researchers 

some vendors understand the benefits of security 
rigor by outside researchers 

- others, however, do not. 

the gear used in my presentation was given to me by one 
who understands 

- for various reasons, they have asked to remain 

anonymous, however, their security team has a 
well founded approach to finding out "how their 
baby is ugly" I would like to give them credit for 
their commitment to the improved security of their 
products. 



atlas , tell us what you really think 




0x6120 — smart meter — the complication 



• power meters are not so simple as glucometers 

- proprietary FHSS in a multiple-access topology 

- have to endure the RF abuse of the large metropolis 

• complex mac sync/net-registration 

• not easy to show with a single meter without a Master node. 

• initial analysis was performed via my saleae LA: 

• SpecAn code on IMME's and hedyattack dongles 

- good for identifying periods of scanning 

• although the dongle can hop along with the meter, we won't be 
demoing synching with the meter today 



0x6130 — the approach 

• determine the rf config and hopping pattern through SPI Bus sniffing 
(and my saleae again) 
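As an added example (not code from the slides or from RfCat), what the SPI sniffing of slide 0x6130 looks like once the logic analyzer has done its job: the MOSI bytes of each chip-select-low transaction on a CC1101-core radio, decoded into register writes, command strobes and FIFO data, then reduced to the radio configuration and the CHANNR sequence (the hop pattern the host is driving). The header byte layout and register addresses are the CC1101 datasheet's (bit 7 = read, bit 6 = burst, bits 5:0 = address; 0x30-0x3D are command strobes; 0x3F is the FIFO). The capture is constructed, not a real meter's; `f_ref` = 24 MHz is assumed for the frequency arithmetic.

```python
# Added example: decoding a CC1101-core SPI capture (not code from the slides or RfCat).
REG_NAMES = {0x04: "SYNC1", 0x05: "SYNC0", 0x06: "PKTLEN", 0x08: "PKTCTRL0",
             0x0A: "CHANNR", 0x0D: "FREQ2", 0x0E: "FREQ1", 0x0F: "FREQ0",
             0x10: "MDMCFG4", 0x11: "MDMCFG3", 0x12: "MDMCFG2", 0x13: "MDMCFG1",
             0x14: "MDMCFG0", 0x15: "DEVIATN"}
STROBES = {0x30: "SRES", 0x33: "SCAL", 0x34: "SRX", 0x35: "STX", 0x36: "SIDLE"}
CHANNR, FIFO = 0x0A, 0x3F

CAPTURE = [                                        # constructed MOSI bytes, one list per CS-low
    [0x30],                                        # SRES strobe
    [0x40 | 0x0D, 0x26, 0x20, 0x00],               # burst write FREQ2..FREQ0 (915 MHz @ 24 MHz)
    [0x40 | 0x10, 0xF5, 0xA3, 0x13, 0x23, 0x11],   # burst write MDMCFG4..MDMCFG0
    [0x0A, 0x07], [0x40 | 0x3F, 0x05, 0x48, 0x65, 0x6C, 0x6C, 0x6F], [0x35],
    [0x0A, 0x13], [0x40 | 0x3F, 0x05, 0x48, 0x65, 0x6C, 0x6C, 0x6F], [0x35],
    [0x0A, 0x02], [0x35],
    [0x0A, 0x07], [0x35],                          # the CHANNR sequence starts over
    [0xC0 | 0x30],                                 # burst read of status register PARTNUM
]


def decode_transactions(transactions):
    """Classify each SPI transaction as strobe / write / read / fifo."""
    events = []
    for mosi in transactions:
        hdr = mosi[0]
        read, burst, addr = bool(hdr & 0x80), bool(hdr & 0x40), hdr & 0x3F
        if addr == FIFO:
            events.append({"type": "fifo", "dir": "rx" if read else "tx",
                           "data": b"" if read else bytes(mosi[1:])})
        elif 0x30 <= addr <= 0x3D and not (read and burst):   # read+burst here = status regs
            events.append({"type": "strobe", "name": STROBES.get(addr, f"0x{addr:02x}")})
        elif read:
            events.append({"type": "read", "addr": addr, "count": len(mosi) - 1})
        else:
            for i, val in enumerate(mosi[1:]):     # burst writes auto-increment the address
                a = addr + (i if burst else 0)
                events.append({"type": "write", "addr": a,
                               "name": REG_NAMES.get(a, f"0x{a:02x}"), "value": val})
    return events


def radio_config(events):
    """Last-write-wins view of the configuration registers ("grab config data")."""
    return {e["name"]: e["value"] for e in events if e["type"] == "write"}


def channel_sequence(events):
    """CHANNR writes in capture order: the hop pattern the host is driving."""
    return [e["value"] for e in events if e["type"] == "write" and e["addr"] == CHANNR]


def tx_payloads(events):
    """Bytes the host pushed into the TX FIFO ("grab tx/rx data")."""
    return [e["data"] for e in events if e["type"] == "fifo" and e["dir"] == "tx"]


def hop_frequencies_hz(regs, channels, f_ref=24_000_000):
    """Base frequency plus CHANNR * channel spacing, from the decoded registers."""
    base = ((regs["FREQ2"] << 16) | (regs["FREQ1"] << 8) | regs["FREQ0"]) * f_ref / (1 << 16)
    spacing = (256 + regs["MDMCFG0"]) * (1 << (regs["MDMCFG1"] & 0x03)) * f_ref / (1 << 18)
    return [round(base + ch * spacing) for ch in channels]
```

A real export has timestamps per transaction as well; keeping them alongside the CHANNR writes gives the dwell time for free, and the gap between the CHANNR write and the STX strobe shows how much of that dwell is actually spent transmitting.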




0x6140 — the approach (2) 

discover mode: 

- disables sync-word so radio sends unaligned bits 

- algorithm looks for preamble (0xaa or 0x55) 

- then determines possible dwords 

ummm... but that's not any bit-derivation of the sync word(s) I 
expect, wut? I am confident those are coming from the meter 

- intro: Bit Inversion (see highlighted hex) 
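As an added example (not code from the slides or from RfCat), the discover logic described above, in software over a constructed unaligned bit capture: find long 1010... runs (the preamble), take the bits that follow as a candidate sync word, and tally the candidates across packets; plus a helper that explains why a candidate can be a shifted or inverted image of the sync word you expected, which is the "wut?" and the bit-inversion note on this slide. The sync words, payloads and the noise between packets are constructed sample values.

```python
# Added example: preamble search and sync-word candidate tally (not code from the slides or RfCat).
from collections import Counter

PREAMBLE_BITS = "10" * 16          # four 0xAA bytes
NOISE = "0011100100"               # constructed gap between packets


def bits_of(data):
    return "".join(f"{b:08b}" for b in data)


def invert(bits):
    return bits.translate(str.maketrans("01", "10"))


def build_capture(sync_word, payloads, inverted=False):
    """Constructed capture: noise, then preamble + sync + length + payload per packet."""
    stream = NOISE
    for p in payloads:
        stream += PREAMBLE_BITS + f"{sync_word:016b}" + bits_of(bytes([len(p)]) + p) + NOISE
    return invert(stream) if inverted else stream


def alternating_runs(bits, min_len):
    """Yield (start, end) of every maximal run of alternating bits >= min_len."""
    start = 0
    for i in range(1, len(bits) + 1):
        if i == len(bits) or bits[i] == bits[i - 1]:
            if i - start >= min_len:
                yield start, i
            start = i


def find_sync_candidates(bits, width=16, min_preamble=32):
    """Tally the `width` bits that follow each preamble run.  A run cannot tell
    whether the capture is inverted, and a sync word whose first bits keep
    alternating extends the run, so candidates come out shifted: that is
    exactly the surprise noted on the slide."""
    hits = Counter()
    for _, end in alternating_runs(bits, min_preamble):
        if end + width <= len(bits):
            hits[bits[end:end + width]] += 1
    return hits


def explain_candidate(candidate, expected_sync, max_shift=3):
    """Return (shift, inverted) if candidate is expected_sync (a 16-bit value)
    shifted left by up to max_shift bits, in either polarity; else None."""
    exp = f"{expected_sync:016b}"
    for inverted in (False, True):
        c = invert(candidate) if inverted else candidate
        for shift in range(max_shift + 1):
            if c[:len(exp) - shift] == exp[shift:]:
                return shift, inverted
    return None
```

With the CC1101-family default sync word 0xD391 the first sync bit continues the preamble's alternation, so every packet reports the same candidate 0xA722 (the sync word shifted by one bit plus one bit of the length byte); a sync word starting with 0 (0x2DD4 here) is reported as-is. Tallying over many packets is what separates the stable sync bits from the data bits that follow them.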



0x6145 — new developments 



vendors have filed numerous patents with hopping 
pattern calculations, comms parameters, etc 

- WIN! 

- plenty of work to be done! jump right in! 

• http://www.patentstorm.us/patents/7064679/fulltext.html 

• http://www.patentstorm.us/patents/7962101/fulltext.html 

• http://www.patentstorm.us/applications/20080204272/fulltext.html 

• http://www.patentstorm.us/applications/20080238716/fulltext.html 



"Abuse is no argument" 
- Nevil Maskelyne 





0x6150 - conclusions 



rfcat discover mode roxors 

rfcat is a foundation for your attack tool 

- way more than just a tool in itself 

we are responsible for ensuring our devices use 
appropriate security, do not simply expect someone 
else to do it. the first med-device death could be your 
best friend. 